[tor-bugs] #21014 [Metrics/Censorship analysis]: Turkey blocking of direct connections, 2016-12-12

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Dec 18 19:11:09 UTC 2016


#21014: Turkey blocking of direct connections, 2016-12-12
-------------------------------------------+------------------------------
 Reporter:  mrphs                          |          Owner:  metrics-team
     Type:  task                           |         Status:  new
 Priority:  Medium                         |      Milestone:
Component:  Metrics/Censorship analysis    |        Version:
 Severity:  Normal                         |     Resolution:
 Keywords:  censorship block tr Turkey UX  |  Actual Points:
Parent ID:                                 |         Points:
 Reviewer:                                 |        Sponsor:
-------------------------------------------+------------------------------

Old description:

> After getting some reports on twitter about Tor being blocked in Turkey
> and some chat on IRC, <bypassemall> aka <trdpi> aka <kzdpi> ran some
> tests and found some interesting information about how Turkey is blocking
> vanilla Tor connections. I paste their findings here:
>
> {{{
>
> 16:48 < trdpi> 10 connections died in state handshaking (TLS) with SSL
> state SSLv2/v3 read server hello A in HANDSHAKE
> 16:48 < trdpi> after less than 10 seconds
> ...
> 16:55 < trdpi> this isp injects rst it seems
> 16:56 < trdpi> to both side, as i got 2 rst one legit and 2 not
> 16:57 < mrphs> oh apparently today is an special day in turkey
> ...
> 17:00 < trdpi> telneting to or port, no rsts. it triggered by something
> more than ip:port connection
> 17:01 < trdpi> yay, window trick for split req works for tr
> 17:02 < trdpi> magic tool allows to bypass vanilla tor censorship
> 17:04 < trdpi> so it's about ciphersuits or something
> 17:07 < trdpi> it's like kz, but obfs4 works
> 17:07 < trdpi> and kz do not rsts
> 17:07 < trdpi> it controlls connection
> 17:07 < trdpi> and tr like do not controlls and to inject fraud only
>
> }}}

New description:

 Turkey Blocks article:
 https://turkeyblocks.org/2016/12/18/tor-blocked-in-turkey-vpn-ban/

 After getting some reports on twitter about Tor being blocked in Turkey
 and some chat on IRC, <bypassemall> aka <trdpi> aka <kzdpi> ran some tests
 and found some interesting information about how Turkey is blocking
 vanilla Tor connections. I paste their findings here:

 {{{

 16:48 < trdpi> 10 connections died in state handshaking (TLS) with SSL
 state SSLv2/v3 read server hello A in HANDSHAKE
 16:48 < trdpi> after less than 10 seconds
 ...
 16:55 < trdpi> this isp injects rst it seems
 16:56 < trdpi> to both side, as i got 2 rst one legit and 2 not
 16:57 < mrphs> oh apparently today is an special day in turkey
 ...
 17:00 < trdpi> telneting to or port, no rsts. it triggered by something
 more than ip:port connection
 17:01 < trdpi> yay, window trick for split req works for tr
 17:02 < trdpi> magic tool allows to bypass vanilla tor censorship
 17:04 < trdpi> so it's about ciphersuits or something
 17:07 < trdpi> it's like kz, but obfs4 works
 17:07 < trdpi> and kz do not rsts
 17:07 < trdpi> it controlls connection
 17:07 < trdpi> and tr like do not controlls and to inject fraud only

 }}}

--

Comment (by dcf):

 dgoulet points to this Turkey Blocks article:
 https://turkeyblocks.org/2016/12/18/tor-blocked-in-turkey-vpn-ban/. They
 tested vanilla, obfs3, and obfs4, and also noted that the apparent rise in
 the metrics graphs may be caused by miscounting. I append some quotations.

 > The Turkey Blocks internet censorship watchdog has identified and
 verified that restrictions on the Tor anonymity network and Tor Browser
 are now in effect throughout Turkey.

 > Other circumvention methods, including Tor’s bridged modes built to
 evade
 [https://dlshad.net/bypassing-censorship-by-using-obfsproxy-and-openvpn-ssh-tunnel/ similar restrictions imposed by the regime in Syria],
 as well as custom VPN deployments, continue to remain available to
 technically skilled users in the short-term.

 > Turkey Blocks finds that the Tor direct access mode is now restricted
 for most internet users throughout the country; Tor usage via bridges
 including obfs3 and obfs4 remains viable, although we see indications that
 obfs3 is being downgraded by some service providers with scope for similar
 restrictions on obfs4. The restrictions are being implemented in tandem
 with apparent degradation of commercial VPN service traffic.

 > Direct Tor access restrictions started around 12 December 2016. Tor’s
 direct mode is now entirely unusable via providers TTNet and UyduNet on
 the residential broadband connections we tested. Deep Packet Inspection
 (DPI) is likely used to disrupt the connection phase, which stalls around
 the 10% mark.
 >
 > Connection is possible using obfs3 and obfs4 Tor bridges with both
 providers. While obfs4 is effective across all configurations, obfs3
 intermittently fails with TTNet.

 > Where we expected a ''fall'' in usage corresponding to widespread
 reports of failure to access the Tor network, charts instead show a huge
 ''increase'' in Tor usage over the same period.

 > During tests we saw over a hundred connection attempts associated with a
 single user connection request, leading us to favour the theory Tor
 metrics have incorrectly counted these failed attempts in their overall
 usage tally.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21014#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

